PPP Support for MPPE (Microsoft Point to Point Encryption)
==========================================================

Frank Cusack <frank@google.com>
Mar 19, 2002


DISCUSSION

MPPE is Microsoft's encryption scheme for PPP links. It is pretty much
solely intended for use with PPP over Internet links -- if you have a true
point to point link you have little need for encryption. It is generally
used with PPTP.

MPPE is negotiated within CCP (Compression Control Protocol) as option
18. In order for MPPE to work, both peers must agree to do it. This
complicates things enough that I chose to implement it as strictly a binary
option, off by default. If you turn it on, all other compression options
are disabled and MPPE *must* be negotiated successfully in both directions
(CCP negotiates each direction separately) or the link will be disconnected.
I think this is reasonable since, if you want encryption, you want
encryption. That is, I am not convinced that optional encryption is useful.
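
The option exchange described above, as an added example rather than pppd's
own CCP code: the option layout (Type 18, Length 6, four octets of
"Supported Bits") and the H/M/S/L/C bit values follow RFC 3078; the
ccp_verdict enum, the mppe_check_ci policy function and the peer proposal
in main are this example's own and are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* CCP configuration option for MPPE (RFC 3078, section 2). */
#define CI_MPPE         18          /* option Type */
#define CILEN_MPPE      6           /* Type + Length + 4 octets of Supported Bits */

/* Supported Bits, host order; names as in RFC 3078. */
#define MPPE_H_BIT      0x01000000u /* stateless mode: rekey on every packet */
#define MPPE_M_BIT      0x00000080u /* 56-bit session keys */
#define MPPE_S_BIT      0x00000040u /* 128-bit session keys */
#define MPPE_L_BIT      0x00000020u /* 40-bit session keys */
#define MPPE_D_BIT      0x00000010u /* obsolete; tolerated and ignored */
#define MPPE_C_BIT      0x00000001u /* MPPC compression wanted as well */
#define MPPE_KEY_BITS   (MPPE_M_BIT | MPPE_S_BIT | MPPE_L_BIT)
#define MPPE_KNOWN_BITS (MPPE_H_BIT | MPPE_KEY_BITS | MPPE_D_BIT | MPPE_C_BIT)

enum ccp_verdict { CCP_ACK, CCP_NAK, CCP_BAD };

/* Serialize Supported Bits as the on-wire option: 12 06 hh 00 00 kk */
size_t mppe_build_ci(uint32_t bits, uint8_t out[CILEN_MPPE])
{
    out[0] = CI_MPPE;
    out[1] = CILEN_MPPE;
    out[2] = (uint8_t)(bits >> 24);
    out[3] = (uint8_t)(bits >> 16);
    out[4] = (uint8_t)(bits >> 8);
    out[5] = (uint8_t)bits;
    return CILEN_MPPE;
}

/* Parse one option out of a peer's Configure-Request.  Returns 0 and sets
 * *bits, or -1 when the bytes are truncated or not an MPPE option. */
int mppe_parse_ci(const uint8_t *ci, size_t len, uint32_t *bits)
{
    if (len < CILEN_MPPE || ci[0] != CI_MPPE || ci[1] != CILEN_MPPE)
        return -1;
    *bits = ((uint32_t)ci[2] << 24) | ((uint32_t)ci[3] << 16) |
            ((uint32_t)ci[4] << 8)  |  (uint32_t)ci[5];
    return 0;
}

/* Decide the reply to a peer's proposal given the bits we insist on (want
 * carries H or not, plus exactly one key-length bit).  Anything short of the
 * policy is Nak'd with *nak = want, so a peer that cannot meet it never
 * reaches Configure-Ack and the link is dropped: the README's all-or-nothing
 * option, expressed per direction. */
enum ccp_verdict mppe_check_ci(uint32_t peer, uint32_t want, uint32_t *nak)
{
    uint32_t keys = peer & MPPE_KEY_BITS;

    *nak = want;
    if (peer & ~MPPE_KNOWN_BITS)
        return CCP_BAD;                 /* reserved bits set: malformed option */
    if (peer & MPPE_C_BIT)
        return CCP_NAK;                 /* MPPC is not offered here */
    if ((peer & MPPE_H_BIT) != (want & MPPE_H_BIT))
        return CCP_NAK;                 /* stateful vs stateless mismatch */
    if (keys == 0 || (keys & (keys - 1)) != 0)
        return CCP_NAK;                 /* peer must settle on exactly one key length */
    if (keys != (want & MPPE_KEY_BITS))
        return CCP_NAK;                 /* wrong (typically weaker) key length */
    return CCP_ACK;
}

int main(void)
{
    uint8_t wire[CILEN_MPPE];
    uint32_t peer, nak;
    const uint32_t policy = MPPE_H_BIT | MPPE_S_BIT;   /* stateless, 128-bit */

    /* Constructed peer proposal: stateless, offering both 40- and 128-bit. */
    mppe_build_ci(MPPE_H_BIT | MPPE_L_BIT | MPPE_S_BIT, wire);
    if (mppe_parse_ci(wire, sizeof wire, &peer) == 0) {
        enum ccp_verdict v = mppe_check_ci(peer, policy, &nak);
        printf("peer 0x%08x -> %s, nak with 0x%08x\n", peer,
               v == CCP_ACK ? "Ack" : v == CCP_NAK ? "Nak" : "bad", nak);
    }
    return 0;
}
```

A proposal carrying two key lengths is Nak'd with the single one we accept;
the peer then re-proposes and, if it can only do 40-bit, the exchange never
converges and the link is torn down, which is the behaviour the paragraph
above asks for.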

While PPP regards MPPE as a "compressor", it actually expands every frame
by 4 bytes, the MPPE overhead (encapsulation): a 2-byte MPPE header follows
the new protocol field (0x00FD), and the original 2-byte PPP protocol field
moves inside the encrypted payload.

Because of the data expansion, you'll see that ppp interfaces get their
mtu reduced by 4 bytes whenever MPPE is negotiated. This is because
when MPPE is active, it is *required* that *every* packet be encrypted.
PPPD sets the mtu = MIN(peer mru, configured mtu). To ensure that
MPPE frames are not larger than the peer's mru, we reduce the mtu by 4
bytes so that the network layer never sends ppp a packet that's too large.
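
The frame layout and the mtu arithmetic from the two paragraphs above, as
an added example and not the kernel module's or pppd's code. RC4 (ARCFOUR)
is the cipher MPPE really uses, but the 128-bit session key is a
constructed constant: the RFC 3079 key derivation and the per-packet rekey
of stateless mode are left out, and mppe_ctx, mppe_encap, mppe_decap and
mppe_link_mtu are names of this example's own. The IP frame in main is
constructed, not captured traffic.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PPP_MPPE         0x00FD /* PPP protocol number of an MPPE frame */
#define MPPE_OVHD        4      /* 2-byte MPPE header + original 2-byte protocol field */
#define MPPE_BIT_D       0x10   /* header flag: payload is encrypted */
#define MPPE_CCOUNT_MASK 0x0FFF /* 12-bit coherency count, wraps at 4096 */

/* RC4 ("ARCFOUR"), the cipher MPPE uses; here only so the example encrypts for real. */
struct rc4 { uint8_t s[256]; uint8_t i, j; };

static void rc4_init(struct rc4 *r, const uint8_t *key, size_t klen)
{
    for (int n = 0; n < 256; n++)
        r->s[n] = (uint8_t)n;
    for (int n = 0, j = 0; n < 256; n++) {
        j = (j + r->s[n] + key[n % klen]) & 0xff;
        uint8_t t = r->s[n]; r->s[n] = r->s[j]; r->s[j] = t;
    }
    r->i = r->j = 0;
}

static void rc4_crypt(struct rc4 *r, uint8_t *buf, size_t len)
{
    for (size_t n = 0; n < len; n++) {
        r->i = (uint8_t)(r->i + 1);
        r->j = (uint8_t)(r->j + r->s[r->i]);
        uint8_t t = r->s[r->i]; r->s[r->i] = r->s[r->j]; r->s[r->j] = t;
        buf[n] ^= r->s[(uint8_t)(r->s[r->i] + r->s[r->j])];
    }
}

/* pppd's rule once MPPE is up: MIN(peer mru, configured mtu) less the MPPE
 * overhead, so the largest network-layer packet still fits the peer's MRU. */
int mppe_link_mtu(int peer_mru, int cfg_mtu)
{
    int mtu = peer_mru < cfg_mtu ? peer_mru : cfg_mtu;
    return mtu - MPPE_OVHD;
}

struct mppe_ctx { struct rc4 cipher; uint16_t ccount; };

/* Session key as supplied by the caller: the RFC 3079 derivation and the
 * per-packet rekey of stateless mode are not part of this example. */
void mppe_ctx_init(struct mppe_ctx *c, const uint8_t *key, size_t klen)
{
    rc4_init(&c->cipher, key, klen);
    c->ccount = 0;
}

/* Wrap a plain PPP frame (2-byte protocol + payload) as an MPPE frame:
 *   00 FD | D bit + 12-bit ccount | RC4(protocol + payload)
 * Returns len + MPPE_OVHD, or -1 if out cannot hold the result. */
int mppe_encap(struct mppe_ctx *c, const uint8_t *ppp, size_t len,
               uint8_t *out, size_t outlen)
{
    if (len < 2 || outlen < len + MPPE_OVHD) return -1;
    out[0] = PPP_MPPE >> 8;
    out[1] = PPP_MPPE & 0xff;
    out[2] = (uint8_t)(MPPE_BIT_D | ((c->ccount >> 8) & 0x0f));
    out[3] = (uint8_t)(c->ccount & 0xff);
    memcpy(out + 4, ppp, len);                  /* protocol field goes inside */
    rc4_crypt(&c->cipher, out + 4, len);
    c->ccount = (uint16_t)((c->ccount + 1) & MPPE_CCOUNT_MASK);
    return (int)(len + MPPE_OVHD);
}

/* Reverse of mppe_encap.  Drops anything that is not an encrypted MPPE frame
 * (with MPPE up, every packet must be encrypted) and any coherency count other
 * than the expected one; resynchronising after packet loss is left out. */
int mppe_decap(struct mppe_ctx *c, const uint8_t *in, size_t len,
               uint8_t *out, size_t outlen)
{
    if (len < 6 || outlen < len - MPPE_OVHD) return -1;
    if (in[0] != (PPP_MPPE >> 8) || in[1] != (PPP_MPPE & 0xff)) return -1;
    if (!(in[2] & MPPE_BIT_D)) return -1;       /* plaintext on an MPPE link */
    uint16_t cc = (uint16_t)(((in[2] & 0x0f) << 8) | in[3]);
    if (cc != c->ccount) return -1;             /* lost or replayed packet */
    memcpy(out, in + 4, len - MPPE_OVHD);
    rc4_crypt(&c->cipher, out, len - MPPE_OVHD);
    c->ccount = (uint16_t)((c->ccount + 1) & MPPE_CCOUNT_MASK);
    return (int)(len - MPPE_OVHD);
}

int main(void)
{
    /* Constructed key and a 6-byte IP frame (protocol 0x0021); not real traffic. */
    const uint8_t key[] = "0123456789abcdef";
    const uint8_t ip[] = { 0x00, 0x21, 0x45, 0x00, 0x00, 0x14 };
    uint8_t enc[32], dec[32];
    struct mppe_ctx tx, rx;
    mppe_ctx_init(&tx, key, 16);
    mppe_ctx_init(&rx, key, 16);
    int n = mppe_encap(&tx, ip, sizeof ip, enc, sizeof enc);
    int m = mppe_decap(&rx, enc, (size_t)n, dec, sizeof dec);
    printf("ppp %zu -> mppe %d -> ppp %d bytes; mtu 1500 becomes %d\n",
           sizeof ip, n, m, mppe_link_mtu(1500, 1500));
    return 0;
}
```

A 1500-byte packet on a link whose peer MRU is 1500 would come out of
mppe_encap at 1504 bytes, which is exactly why pppd lowers the interface
mtu to 1496 before any such packet can be handed over.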

There is an option to compress the data before encrypting (MPPC); however,
the algorithm is patented and requires execution of a license with Hifn.
MPPC as an RFC is a complete farce. I have no further details on MPPC.

Some recommendations:

- Use stateless mode. Stateful mode is disabled by default. Unfortunately,
  stateless mode is very expensive as the peers must rekey for every packet.
- Use 128-bit encryption.
- Use MS-CHAPv2 only.
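
The three recommendations as a pppd options file. This is an added example,
not text from this README or from pppd's documentation; the option names are
the ones later pppd releases use (see pppd(8) for the release you run, as the
CONFIGURATION section says), and the "weak" fragment is constructed only to
show what each recommended line rules out.

```text
# Weak: accepts 40- or 56-bit keys, lets the peer fall back to stateful
# mode, and (as authenticator) accepts MS-CHAPv1 from the peer.
require-mppe
mppe-stateful
require-mschap

# Recommended: 128-bit keys only, stateless only, MS-CHAPv2 only.
require-mppe-128
nomppe-stateful
require-mschap-v2
refuse-pap
refuse-chap
refuse-mschap
refuse-eap
```

require-mschap-v2 applies when this pppd authenticates the peer (the server
side); the refuse-* lines apply when this pppd authenticates itself to the
peer (the client side) and leave MS-CHAPv2 as the only method it will agree
to. With require-mppe-128 a peer that offers only 40-bit keys is Nak'd until
it gives up and the link comes down, the all-or-nothing behaviour described
under DISCUSSION.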

Reference documents:

<http://www.ietf.org/rfc/rfc3078.txt> MPPE
<http://www.ietf.org/rfc/rfc3079.txt> MPPE Key Derivation
<http://www.ietf.org/rfc/rfc2118.txt> MPPC
<http://www.ietf.org/rfc/rfc2637.txt> PPTP
<http://www.ietf.org/rfc/rfc2548.txt> MS RADIUS Attributes

You might be interested in PoPToP, a Linux PPTP server. You can find it at
<http://www.poptop.org/>

RADIUS support for MPPE is from Ralf Hofmann, <ralf.hofmann@elvido.net>.


BUILDING THE PPPD

The userland component of PPPD has no additional requirements above
those for MS-CHAP and MS-CHAPv2. The kernel, however, requires SHA-1
and ARCFOUR (RC4). Public domain implementations of these are provided.

Until such time as MPPE support ships with kernels, you can use
the Linux 2.2 or 2.4 implementation that comes with PPPD. Run the
ppp/linux/mppe/mppeinstall.sh script, giving it the location of your
kernel source. Then add the CONFIG_PPP_MPPE option to your config and
rebuild the kernel. The ppp_mppe.o module is added, and the ppp.o module
(2.2) or ppp_generic.o (2.4) is modified (unfortunately). You'll need
the new ppp.o/ppp_generic.o since it accounts for the 4 bytes of MPPE
overhead discussed above.


CONFIGURATION

See pppd(8) for the MPPE options. Under Linux, if your modutils is earlier
than 2.4.15, you will need to add

        alias ppp-compress-18 ppp_mppe

to /etc/modules.conf so that the kernel can autoload the module when CCP
option 18 is negotiated. (A patch for earlier versions of modutils is
included with the kernel patches.)